1

Escort Agency Serves Naughty Trojan


ThreatFire team has busted another “in-the-wild” ZBot trojan.

Interesting detail this time is that the trojan is currently hosted at the server with the IP 92.48.71.14 – this is a web server of “London Escorts & Escort Agencies” and its domain name is escortcitylondon.com.

When run, the trojan downloads an encrypted configuration file from 193.27.246.190. The config file instructs the bot to update itself right from the escort site mentioned above.

The trojan attempts to deactivate a number of AV products and firewalls by deleting their registry keys, terminating the processes and modifying the hosts file.

ZBot attempts to steal the contents of online banking forms of the following banks:

  • Bank of America
  • CheBanca!
  • Banca Mediolanum

The targeted banking sites can be seen in its memory contents:


Full ThreatExpert report is available here.

This entry was posted in Online Fraud. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>